Consider renaming TLS options in settings

Hi

I was helping a user fix their email settings in another forum who was concerned over the fact that when he went into diagnostics:

I have to go into diagnostics; it searches for the settings and ends up with special port legacy settings, which eM Client says is not a preferred port connection.

While I can’t comment on what’s been said, I do feel that the SSL/TLS options are confusing.

[image: IMAP settings page]

Consider the above image taken from the IMAP settings page.

em Client is the ONLY client I have seen currently that describes the SSL/TLS settings this way. The wording is also confusing to novices as very few email providers would use it.

Consider the 2 types of SSL/TLS connection

Implicit SSL/TLS

Implicit SSL/TLS is where the SSL/TLS requirement is implied by virtue of using a designated port. Clients connecting to that port automatically begin an SSL/TLS handshake. If a client attempts anything other than a handshake, then the server ignores the traffic and the connection ends up timing out.

Most Email providers refer to this setting simply as SSL/TLS although nowadays most connections will occur over TLS 1 and above (ideally TLS 1.2 and 1.3)

This is the setting you refer to as - Use SSL/TLS on Special Port (legacy)

Explicit TLS (StartTLS)

In this connection there is no special port used. Instead the client will connect using a plain text connection and check the server’s capabilities looking for a STARTTLS capability. If this is advertised then the client will issue a STARTTLS command (SMTP and IMAP) or STLS command (POP3) which asks the server if it can upgrade to a secure connection.

Because of the command used this is usually referred to as StartTLS security (although if the server only supported the older SSL standards, the connection could equally be made over SSL - although this is unlikely)

You have two options for this.

Use SSL/TLS if available.
Force usage of SSL/TLS
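To make the difference between the three options concrete, here is an added example (my own code, not em Client's) that maps each option onto a port and a client behaviour, then reads a server's capability reply to decide whether the STARTTLS/STLS upgrade can happen. The cleartext ports 143, 110 and 587 and the mode names are my assumptions; the sample capability replies are constructed. Note what the "if available" option does when the server does not advertise the upgrade: it carries on in cleartext, which is the risk the "force" option exists to prevent.

```python
from dataclasses import dataclass

# Implicit TLS ports from the post (RFC 8314 style), and the cleartext
# ports on which STARTTLS/STLS is negotiated (assumed standard values).
IMPLICIT_TLS_PORTS = {"imap": 993, "pop3": 995, "smtp": 465}
STARTTLS_PORTS = {"imap": 143, "pop3": 110, "smtp": 587}
UPGRADE_COMMAND = {"imap": "STARTTLS", "pop3": "STLS", "smtp": "STARTTLS"}


@dataclass
class Plan:
    port: int
    tls_on_connect: bool    # implicit: handshake before any protocol bytes
    require_upgrade: bool   # explicit, forced: refuse to continue without TLS


def plan_connection(protocol: str, mode: str) -> Plan:
    """Map the three options onto a port and a behaviour.
    mode is one of 'implicit', 'starttls_if_available', 'starttls_forced'."""
    if mode == "implicit":
        return Plan(IMPLICIT_TLS_PORTS[protocol], True, False)
    if mode == "starttls_if_available":
        return Plan(STARTTLS_PORTS[protocol], False, False)
    if mode == "starttls_forced":
        return Plan(STARTTLS_PORTS[protocol], False, True)
    raise ValueError(f"unknown mode: {mode}")


def server_offers_upgrade(protocol: str, capability_reply: str) -> bool:
    """Look for the upgrade keyword in the server's capability reply.
    IMAP: '* CAPABILITY ...' line; POP3: CAPA lines; SMTP: '250-' EHLO lines."""
    wanted = UPGRADE_COMMAND[protocol]
    tokens = []
    for line in capability_reply.splitlines():
        line = line.strip()
        if protocol == "smtp" and line[:4] in ("250-", "250 "):
            line = line[4:]                 # drop the EHLO reply code prefix
        tokens.extend(line.upper().split())
    return wanted in tokens


def decide(plan: Plan, protocol: str, capability_reply: str) -> str:
    """What the client does after reading capabilities on the chosen port."""
    if plan.tls_on_connect:
        return "tls_already_established"   # implicit: nothing to negotiate
    if server_offers_upgrade(protocol, capability_reply):
        return "upgrade"                    # issue STARTTLS / STLS
    # 'if available' quietly keeps going in cleartext; 'forced' refuses.
    return "abort" if plan.require_upgrade else "continue_cleartext"
```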

Now I’ve gotten the explanation out of the way let me detail why the use of the term (Legacy) in the Implicit SSL/TLS connection is wrong.

When SSL/TLS was rolled out the following ports were suggested.

995 POP3S
993 IMAPS
465 SMTPS

Port 465 SMTPS was withdrawn about a year after it was first proposed, but by that time many email submission servers had added support for port 465 SSL/TLS.

Thus many providers who supported SSL/TLS used those three ports, even after email submission on port 587 with StartTLS was made a standard.

Jump to 2018 and the standards have once again changed:
RFC 8314 (https://tools.ietf.org/html/rfc8314) recommends that Implicit TLS on a special port be the norm for connections (apart from mail delivery), and IANA recognises the following use for port 465:
submissions 465 - Email submission over TLS

Therefore Implicit SSL/TLS should not be regarded as a legacy connection IMHO, and your options should be reworded to reflect that fact.
